@JanTvrdik
Last active May 16, 2017 19:08
Generate TLS certificate signed by root certificate
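```bash
#!/usr/bin/env bash
# Create a self-signed root CA (root.key / root.crt) next to this script.
set -o errexit -o pipefail -o nounset
IFS=$'\n\t'

ROOT="$(dirname "$0")/root"

# refuse to overwrite an existing root key or certificate
if [[ -f "$ROOT.key" || -f "$ROOT.crt" ]]; then
    echo "Root certificate already exists" >&2
    exit 1
fi

mkdir -p "$(dirname "$ROOT")"

# openssl prompts for the key passphrase and the subject fields;
# -extensions v3_ca expects a v3_ca section in the active openssl.cnf (the stock config has one)
openssl req -new -newkey rsa:2048 -sha256 -days 3650 -x509 -extensions v3_ca -keyout "$ROOT.key" -out "$ROOT.crt"
```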
```bash
#!/usr/bin/env bash
# Issue a certificate for <domain>, signed by the root CA created by the script above.
set -o errexit -o pipefail -o nounset
IFS=$'\n\t'

if [[ "$#" -ne 1 ]]; then
    echo "Usage: $0 <domain>" >&2
    exit 1
fi

DOMAIN="$1"
NAME="$(dirname "$0")/$DOMAIN"
ROOT="$(dirname "$0")/root"

# generate private key (written to disk without a passphrase)
openssl genrsa -out "$NAME.key" 2048

# generate signing request
openssl req -new -sha256 -subj "/CN=$DOMAIN" -key "$NAME.key" -out "$NAME.csr"

# generate extensions file (the SAN entry is what clients match the hostname against)
echo "subjectAltName = DNS:$DOMAIN" > "$NAME.ext"

# generate public certificate (asks for the root key passphrase)
openssl x509 -req -sha256 -days 3650 -extfile "$NAME.ext" -in "$NAME.csr" -CA "$ROOT.crt" -CAkey "$ROOT.key" -CAserial "$ROOT.srl" -CAcreateserial -out "$NAME.crt"

# remove signing request and extensions file
rm "$NAME.csr" "$NAME.ext"

# generate packed pem file for Caddy (certificate followed by the private key)
cat "$NAME.crt" "$NAME.key" > "$NAME.packed.pem"
```
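A check to run after the issuing script, added here as an example and not part of the gist: it confirms that the new certificate chains to `root.crt`, carries the requested name in its SAN, and matches its private key. The function name `verify_issued_cert`, its return codes and the optional directory argument are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example, not part of the gist: verify a certificate issued by the script above.
# Assumed layout: <dir>/root.crt, <dir>/<domain>.crt, <dir>/<domain>.key
# Return codes (assumed): 0 ok, 2 missing file, 3 chain, 4 SAN, 5 key mismatch
verify_issued_cert() {
    local domain="$1" dir="${2:-.}"
    local root="$dir/root.crt" crt="$dir/$domain.crt" key="$dir/$domain.key"
    local f cert_pub key_pub

    for f in "$root" "$crt" "$key"; do
        [ -f "$f" ] || { echo "missing file: $f" >&2; return 2; }
    done

    # 1. The leaf must chain to this root and be within its validity period.
    openssl verify -CAfile "$root" "$crt" >/dev/null 2>&1 \
        || { echo "chain verification against $root failed" >&2; return 3; }

    # 2. The SAN must list the exact DNS name (hostname matching uses SAN, not CN).
    #    The SAN values are on the line after the extension header in -text output.
    openssl x509 -in "$crt" -noout -text \
        | grep -A1 'Subject Alternative Name' \
        | tr ',' '\n' | tr -d ' ' \
        | grep -Fx "DNS:$domain" >/dev/null \
        || { echo "SAN does not contain DNS:$domain" >&2; return 4; }

    # 3. The private key on disk must belong to the certificate:
    #    compare the public key in the cert with the one derived from the key.
    cert_pub="$(openssl x509 -in "$crt" -noout -pubkey)" || return 5
    key_pub="$(openssl pkey -in "$key" -pubout 2>/dev/null)" || return 5
    [ "$cert_pub" = "$key_pub" ] \
        || { echo "private key does not match certificate" >&2; return 5; }

    echo "OK: $crt chains to $root, SAN and key match"
}

# Run directly as: ./verify.sh <domain> [dir]
if [ "$#" -ge 1 ]; then
    verify_issued_cert "$@"
fi
```
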